Tuesday, June 21, 2016

Modern Public Folders in Multi-Tenant Environments

Modern Public Folders is a feature introduced in Exchange 2013 and also available in Exchange 2016. It allows companies to leverage Database Availability Groups and use log shipping instead of SMTP for replication, which provides numerous advantages that we will not focus on in this article.

If you are new to Modern Public Folders, here is a good article to get you started:

In this article, we will focus on Modern Public Folders in a multi-tenant environment. We will be going through how to achieve multi-tenancy with Microsoft Exchange 2013 / 2016.

It is important to note that there are numerous methods for setting up Public Folders in a multi-tenant environment.

In the example below we have:

One root Public Folder per tenant/company

One Public Folder Mailbox per tenant/company

One security group to represent all users from each tenant/company

Access-based enumeration, so that each tenant/company can only see its own root-level Public Folder.

With Exchange 2013 and Exchange 2016, the first Public Folder mailbox created is always deployed as the Master Hierarchy Mailbox. This mailbox is the only Public Folder mailbox with a writeable copy of the Public Folder hierarchy. All additional Public Folder mailboxes created contain a read-only copy of the hierarchy.

When we talk about the Hierarchy, we are not talking about Public Folder content, only the folder structure that makes up the Public Folders.

The first thing we need to create is the master Public Folder Hierarchy mailbox. In a multi-tenant environment I generally recommend that no content be placed in the master Public Folder Hierarchy mailbox and that it only be used to maintain the writeable copy of the Public Folder Hierarchy.

As the first Public Folder mailbox created is always the Master Hierarchy, simply use the New-Mailbox command to create the mailbox. I always recommend naming this mailbox clearly so it is easily identifiable as the Public Folder Hierarchy mailbox. In this example it was given the name "MasterHierarchy".

Next create a Public Folder mailbox for each tenant/company. The intent here is that all content for each company will be stored in its respective Public Folder mailbox. In this example we will use my company, Avantgarde Technologies, as the example tenant. I'm using the naming convention CompanyPF for each Public Folder mailbox.

Next create a new Public Folder at the root "\" of the Hierarchy. Make sure you specify the Public Folder mailbox you want to store the Public Folder in; otherwise Exchange will automatically pick any Public Folder mailbox, which could be the Master Hierarchy mailbox or another tenant's mailbox.

The name of the Public Folder specified below is the name the tenant will see in Outlook.

By default, all root public folders can be seen by all tenants. To ensure no other tenant can see the "Avantgarde Technologies" root-level Public Folder, remove the Default user's access rights as shown in the screenshot below. This ensures no one can see this Public Folder until access is explicitly granted.

Lastly, ensure you have a Security Group containing all users from the tenant/company, and grant the group access to the root-level Public Folder. I recommend Owner or PublishingEditor rights; refer to the following TechNet article about the other Public Folder permissions you can grant here.

Only members of the "Avantgarde Users" security group will be able to see the root Public Folder "Avantgarde Technologies", and all other tenants' root Public Folders in the environment will be hidden from the Avantgarde Technologies employees.

To add additional tenants to the environment, repeat the process documented above, making sure that:

All root-level public folders have the Default user permissions removed straight away, to protect the privacy of each tenant on your Exchange environment.

When creating root-level public folders in PowerShell, you manually specify the correct Public Folder mailbox, or Exchange will pick one at random.

All sub-folders created in Outlook are automatically stored in the parent's Public Folder mailbox.
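The per-tenant steps above, with the checks from the list just given, as an added Exchange Management Shell example (not from the original post). Tenant, mailbox and group names are sample values; it assumes the "MasterHierarchy" mailbox already exists as the first Public Folder mailbox in the organisation.

```powershell
# Added example: per-tenant Public Folder setup in the Exchange Management Shell.
# Assumes MasterHierarchy was created first with: New-Mailbox -PublicFolder -Name "MasterHierarchy"
function New-TenantPublicFolder {
    param(
        [Parameter(Mandatory)] [string] $TenantName,    # name the tenant sees in Outlook
        [Parameter(Mandatory)] [string] $PFMailbox,     # e.g. "AvantgardePF" (CompanyPF convention)
        [Parameter(Mandatory)] [string] $SecurityGroup, # e.g. "Avantgarde Users"
        [ValidateSet('Owner','PublishingEditor')] [string] $AccessRights = 'PublishingEditor'
    )
    $root = "\$TenantName"

    # 1. One content mailbox per tenant. It holds a read-only hierarchy copy;
    #    the first Public Folder mailbox in the org stays the writeable master.
    if (-not (Get-Mailbox -PublicFolder -Identity $PFMailbox -ErrorAction SilentlyContinue)) {
        New-Mailbox -PublicFolder -Name $PFMailbox | Out-Null
    }

    # 2. Root folder, explicitly placed in the tenant's mailbox so Exchange does
    #    not pick MasterHierarchy or another tenant's mailbox for it.
    New-PublicFolder -Name $TenantName -Path "\" -Mailbox $PFMailbox | Out-Null

    # 3. Remove the Default user's rights straight away: until this runs, every
    #    mailbox in the organisation can see the new root folder.
    Remove-PublicFolderClientPermission -Identity $root -User Default -Confirm:$false

    # 4. Only the tenant's own security group is granted access to its root.
    Add-PublicFolderClientPermission -Identity $root -User $SecurityGroup -AccessRights $AccessRights | Out-Null

    Test-TenantPublicFolder -TenantName $TenantName -PFMailbox $PFMailbox
}

# Post-creation checks: no Default access left on the root, and the folder's
# content really lives in the tenant's own Public Folder mailbox.
function Test-TenantPublicFolder {
    param([string] $TenantName, [string] $PFMailbox)
    $root   = "\$TenantName"
    $folder = Get-PublicFolder -Identity $root
    $perms  = Get-PublicFolderClientPermission -Identity $root
    [pscustomobject]@{
        Folder          = $root
        ContentMailbox  = $folder.ContentMailboxName
        InTenantMailbox = ($folder.ContentMailboxName -eq $PFMailbox)
        DefaultRemoved  = -not ($perms | Where-Object { "$($_.User)" -eq 'Default' })
        Grantees        = ($perms | ForEach-Object { "$($_.User): $($_.AccessRights)" }) -join '; '
    }
}

# Sample tenant from the article; repeat the call once per additional tenant.
New-TenantPublicFolder -TenantName "Avantgarde Technologies" -PFMailbox "AvantgardePF" -SecurityGroup "Avantgarde Users" -AccessRights Owner
```

Sub-folders the tenant later creates in Outlook under its root inherit that root's content mailbox, so the check only needs to be run against each root-level folder.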

One last thing I want to touch on is the "-DefaultPublicFolderMailbox" parameter of the Set-Mailbox command. When people first set up Public Folders for multi-tenant Exchange, many think about creating a Public Folder mailbox for each tenant and then setting "-DefaultPublicFolderMailbox" on all user mailboxes of that tenant. Before writing this article I googled around to see if a similar article already existed, and saw people attempting this incorrect method of deployment. The reason this approach will not work is, as mentioned earlier, that every Public Folder mailbox holds a read-only copy of the entire Public Folder Hierarchy (meaning all Public Folders in the Exchange organisation). So yes, they do contain the Public Folder structure of the other tenants/companies in the environment. We need to ensure tenants only see public folders related to their own company by locking down permissions, for privacy reasons.

I hope this article has been informative for you and I would like to thank you for reading.

Hello, did you define "DefaultPublicFolderMailbox" to "AvantGardePF" for AvantGarde tenant mailboxes? I tried on my environment and I'm not able to create subfolders on my tenant public folder mailbox. Error is: "Cannot create the folder. You do not have sufficient permission to perform this operation on this object. See the folder contact or your system administrator." Permissions are OK; if I move the public folder to the master hierarchy PF mailbox and set DefaultPublicFolderMailbox to the mailbox it's working. I found this KB but with no effect: https://support.microsoft.com/en-us/kb/3035230 Thanks :)